b'                     OFFICE OF\n             THE INSPECTOR GENERAL\n                   U.S. NUCLEAR\n             REGULATORY COMMISSION\n\n\n                   Audit of NRC\xe2\x80\x99s Generic Communications\n                                  Program\n\n                     OIG-05-A-19      September 30, 2005\n\n\n\n\n                      AUDIT REPORT\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                              NRC\xe2\x80\x99s Web site at:\n             http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                          September 30, 2005\n\n\n\n\nMEMORANDUM TO:              Luis A. Reyes\n                            Executive Director for Operations\n\n\n\nFROM:                       Stephen D. Dingbaum/RA/\n                            Assistant Inspector General for Audits\n\n\nSUBJECT:                    AUDIT OF NRC\xe2\x80\x99S GENERIC COMMUNICATIONS\n                            PROGRAM (OIG-05-A-19)\n\nAttached is the Office of the Inspector General\xe2\x80\x99s (OIG) audit report, Audit of\nNRC\xe2\x80\x99s Generic Communications Program.\n\nThe audit identified generic communications, specifically, safeguards advisories,\nthat are issued outside of NRC\'s existing regulatory framework. As a result, the\nagency (1) may be unable to pursue actions requested or required of licensees in\nits generic communications, and (2) compromises its openness policy, thereby\naffecting the public\'s confidence in NRC\'s regulatory processes and decision-\nmaking.\n\nAdditionally, controls for oversight of licensee actions on generic communications\nare inadequate and NRC did not employ a sound methodology when conducting\nits effectiveness assessment of the Generic Communications Program. As a\nresult, the agency risks the potential loss of safety/regulatory data and lacks\nassurance that its generic communications are effective.\n\nComments from the September 6, 2005, exit conference and your September 27,\n2005, written comments have been incorporated, as appropriate, in our final\nreport. Appendix B contains the agency\xe2\x80\x99s formal written response in its entirety.\nAppendix C presents OIG\xe2\x80\x99s detailed analysis of the formal comments.\n\nIf you have any questions or wish to discuss other issues, please call\nAnthony Lipuma at 415-5910 or me at 415-5915.\n\nAttachment: As stated\n\x0cDistribution\n\nJohn T. Larkins, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nG. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety andT\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJesse L. Funches, Chief Financial Officer\nJanice Dunn Lee, Director, Office of International Programs\nWilliam N. Outlaw, Director of Communications\nWilliam N. Outlaw, Acting Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nWilliam F. Kane, Deputy Executive Director for Reactor\n  and Preparedness Programs, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Research,\n  State and Compliance Programs, OEDO\nJacqueline E. Silber, Deputy Executive Director for Information Services\n   and Administration, and Chief Information Officer, OEDO\nWilliam M. Dean, Assistant for Operations, OEDO\nTimothy F. Hagan, Director, Office of Administration\nMichael R. Johnson, Director, Office of Enforcement\nGuy P. Caputo, Director, Office of Investigations\nEdward T. Baker, Director, Office of Information Services\nJames F. McDermott, Director, Office of Human Resources\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards\nJames E. Dyer, Director, Office of Nuclear Reactor Regulation\nCarl J. Paperiello, Director, Office of Nuclear Regulatory Research\nPaul H. Lohaus, Director, Office of State and Tribal Programs\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. Mallett, Regional Administrator, Region IV\n\x0c                                          Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\nEXECUTIVE SUMMARY\n\n   BACKGROUND\n\n        The Nuclear Regulatory Commission\xe2\x80\x99s (NRC) primary method of\n        communicating concerns or issues to licensees is through generic\n        communications, i.e., transmittals to one or more classes of licensees.\n        NRC issues several types of generic documents to its licensees and\n        stakeholders in order to communicate significant industry operating\n        experience, request action or information on safety concerns, or\n        provide guidance on issues of regulatory interest. NRC encourages\n        voluntary industry cooperation and participation in the agency\xe2\x80\x99s\n        Generic Communications Program.\n\n        NRC\xe2\x80\x99s Generic Communications Program identifies four\n        communication products - bulletins, generic letters, regulatory issue\n        summaries, and information notices. The first three of the four\n        communiqu\xc3\xa9s can request actions or require responses from\n        licensees; information notices are to simply provide information.\n        However, Generic Communications Program products cannot be used\n        to impose new requirements or mandatory actions. The\n        communication tool used for imposing mandatory regulatory\n        requirements is an NRC Order.\n\n        The Office of Nuclear Reactor Regulation (NRR) has primary\n        responsibility for implementing the agency\xe2\x80\x99s Generic Communications\n        Program. In addition to NRR, the Office of Nuclear Material Safety and\n        Safeguards issues generic communications to its materials licensees\n        and the Office of Nuclear Security and Incident Response issues\n        security-related generic communications to all classes of NRC\n        licensees. After issuance of a generic communication, the applicable\n        NRC program office conducts follow-up activities, including monitoring\n        and assessing licensees\xe2\x80\x99 performance related to generic\n        communications.\n\n                Prior Agency Assessments\n\n        Over the past 10 years, a number of agency self-assessments have\n        identified weaknesses in the Generic Communications Program. In\n        response, the agency implemented a number of corrective actions,\n        including revisions to internal policies and procedures.\n\n\n\n                                    i\n\x0c                                        Audit of NRC\xe2\x80\x99s Generic Communications Program\n\nPURPOSE\n\n      The purpose of this audit was to assess the effectiveness of the\n      Generic Communications Program, specifically:\n\n      \xc2\xbe whether NRC generic communications are issued in accordance\n        with the Generic Communications Program and other regulatory\n        requirements, and\n\n      \xc2\xbe how NRC tracks licensee actions on generic communications.\n\nRESULTS IN BRIEF\n\n      Through its Generic Communications Program, NRC has an\n      established framework for developing and issuing certain generic\n      communications. However, OIG identified weaknesses with the\n      agency\xe2\x80\x99s internal controls over generic communications. Specifically,\n\n       A.     safeguards advisories (i.e., a security-related generic\n              communication) are issued outside of NRC\xe2\x80\x99s existing\n              regulatory framework,\n\n       B.     controls for oversight of licensee actions on generic\n              communications are inadequate, and\n\n       C.     NRC\xe2\x80\x99s self-assessment\xe2\x80\x99s conclusion of Generic\n              Communications Program effectiveness is not supported.\n\n      These issues exist primarily because NRC management has not\n      followed existing policies and procedures by developing and issuing\n      generic communications outside of the agency\xe2\x80\x99s regulatory framework.\n      Without application of adequate internal controls to ensure that agency\n      communications are promulgated in accordance with applicable\n      regulatory requirements, the agency may be unable to pursue actions\n      requested or required of licensees in its generic communications, and\n      may compromise its openness policy, thereby affecting the public\xe2\x80\x99s\n      confidence in NRC\xe2\x80\x99s regulatory processes and decision-making.\n\n      Furthermore, NRC\xe2\x80\x99s controls for oversight of licensee actions on\n      generic communications are inadequate and the agency did not\n      employ a sound methodology when conducting its effectiveness\n      assessment of the Generic Communications Program. As a result,\n      NRC risks the potential loss of safety/regulatory data and lacks\n      assurance that its generic communications are effective.\n                                  ii\n\x0c                                      Audit of NRC\xe2\x80\x99s Generic Communications Program\n\nRECOMMENDATIONS\n\n     This report makes four recommendations to the Executive Director for\n     Operations to strengthen the agency\xe2\x80\x99s oversight and controls of its\n     generic communications.\n\nOIG ANALYSIS OF AGENCY COMMENTS\n\n     At an exit conference with agency senior executives held on\n     September 6, 2005, NRC officials generally agreed with most of the\n     report\xe2\x80\x99s findings and recommendations. Subsequent to that meeting,\n     NRC provided informal comments on the draft report and OIG met with\n     NRR management to address specific issues and concerns needing\n     further clarification and/or explanation. On September 27, 2005, the\n     Deputy Executive Director for Reactor and Preparedness Programs,\n     Office of the Executive Director for Operations, provided a formal\n     response to this report in which the staff generally concurs with the\n     report\xe2\x80\x99s findings and recommendations. The Deputy Executive\n     Director\xe2\x80\x99s transmittal letter and specific comments on this report are\n     included as Appendix B.\n\n     This final report incorporates revisions made, where appropriate, as a\n     result of the subsequent meeting and the agency\xe2\x80\x99s informal and formal\n     written comments. Appendix C contains OIG\xe2\x80\x99s specific responses to\n     the agency\xe2\x80\x99s comments.\n\n\n\n\n                                iii\n\x0c                     Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               iv\n\x0c                                  Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\nABBREVIATIONS AND ACRONYMS\n\n       ACRS         Advisory Committee on Reactor Safeguards\n       CFR          Code of Federal Regulations\n       CRGR         Committee to Review Generic Requirements\n       FTE          full-time equivalent\n       MD           Management Directive\n       NMSS         Office of Nuclear Material Safety and Safeguards\n       NRC          Nuclear Regulatory Commission\n       NRR          Office of Nuclear Reactor Regulation\n       NSIR         Office of Nuclear Security and Incident Response\n       OGC          Office of the General Counsel\n       OIG          Office of the Inspector General\n       OMB          Office of Management and Budget\n       Task Force   Davis-Besse Lessons Learned Task Force\n\n\n\n\n                            v\n\x0c                     Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               vi\n\x0c                                                              Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\nTABLE OF CONTENTS\n\n    EXECUTIVE SUMMARY.................................................................................. i\n\n    ABBREVIATIONS AND ACRONYMS ...............................................................v\n\n    I.     BACKGROUND ....................................................................................... 1\n\n    II.    PURPOSE................................................................................................ 4\n\n    III.   FINDINGS ................................................................................................ 5\n\n             A.     SAFEGUARDS ADVISORIES ARE ISSUED OUTSIDE OF NRC\xe2\x80\x99S\n                    EXISTING REGULATORY FRAMEWORK ................................................ 5\n\n             B.     CONTROLS FOR OVERSIGHT OF LICENSEE ACTIONS ON GENERIC\n                    COMMUNICATIONS ARE INADEQUATE ............................................... 17\n\n             C.     NRC\xe2\x80\x99S SELF-ASSESSMENT\xe2\x80\x99S CONCLUSION OF GENERIC\n                    COMMUNICATIONS PROGRAM EFFECTIVENESS IS NOT\n                    SUPPORTED .................................................................................. 20\n\n    IV.    CONSOLIDATED LIST OF RECOMMENDATIONS .............................. 23\n\n    V.     AGENCY COMMENTS .......................................................................... 24\n\n    APPENDICES\n\n             A.     SCOPE AND METHODOLOGY .................................................. 25\n             B.     FORMAL AGENCY COMMENTS ............................................... 27\n             C.     DETAILED OIG ANALYSIS OF AGENCY COMMENTS ............. 33\n\n\n\n\n                                                     vii\n\x0c                     Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n              viii\n\x0c                                                              Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\nI.    BACKGROUND\n\n                 The Nuclear Regulatory Commission\xe2\x80\x99s (NRC) primary method of\n                 communicating concerns or issues to licensees is through generic\n                 communications. The agency defines generic communications as\n                 \xe2\x80\x9ctransmittals to one or more classes of licensees.\xe2\x80\x9d NRC issues several\n                 types of generic documents to its licensees and stakeholders in order\n                 to communicate significant industry operating experience, request\n                 action or information on safety concerns, or provide guidance on\n                 issues of regulatory interest. NRC encourages voluntary industry\n                 cooperation and participation in the agency\xe2\x80\x99s Generic Communications\n                 Program.\n\n                          NRC\xe2\x80\x99s Generic Communications Program\n\n                 The Generic Communications Program identifies four communication\n                 products - bulletins, generic letters, regulatory issue summaries, and\n                 information notices. The first three of the four communiqu\xc3\xa9s can\n                 request actions or require responses from licensees; information\n                 notices are to simply provide information. However, Generic\n                 Communications Program products cannot be used to impose new\n                 requirements or mandatory actions. The communication tool used for\n                 imposing mandatory regulatory requirements is an NRC Order.1\n\n                 Table 1 summarizes the intended purpose of each of the four Generic\n                 Communications Program products.\n\n\n\n\n1\n NRC Orders are regulatory requirements that may modify, suspend, or revoke a license; instruct a licensee to\ncease and desist from a given practice or activity, or to take such other action as may be proper.\n                                                       1\n\x0c                                                                Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n                                                    Table 1\n\n                          NRC Generic Communications Program\xe2\x80\x99s\n                          Officially Recognized Products and Uses\n\n\n                                                                                                   Can Require\n  Type                                       Issuance Purpose                                      Response or\n                                                                                                     Request\n                                                                                                      Action\n              \xe2\x80\xa2    share urgent risk-significant issues\n                                                                                                          Yes\nBulletins     \xe2\x80\xa2    can be issued on an expedited basis without extensive formal interaction with\n                   industry\n\n              \xe2\x80\xa2    have licensees perform analyses or submit descriptions of proposed\n                   corrective actions on matters of safety, safeguards, or the environment and            Yes\n                   may request written submittals that they have completed the requests with or\n                   without prior NRC approval of the action\nGeneric\nLetters       \xe2\x80\xa2    request technical information that NRC needs to perform its functions\n\n              \xe2\x80\xa2    submit proposed changes to technical specifications\n\n              \xe2\x80\xa2    document NRC endorsement of the resolution of issues addressed by\n                   industry-sponsored initiatives                                                           Yes\n                                                                                                   (but response is\n              \xe2\x80\xa2    solicit voluntary licensee participation in pilot programs                      strictly voluntary)\nRegulatory\nIssue         \xe2\x80\xa2    inform licensee of opportunities for regulatory relief\nSummaries\n              \xe2\x80\xa2    announce staff technical or policy positions not previously communicated to\n                   industry or not broadly understood\n\n              \xe2\x80\xa2    address matters previously reserved for administrative letters\n\n\n              \xe2\x80\xa2    bring significant, recently identified operating experience about safety,               No\n                   safeguards, or environmental issues to the attention of the nuclear industry.\nInformation        [Addressees are expected to review the information for applicability to their\nNotices            facilities and consider actions, as appropriate, to avoid similar problems.]\n\n              \xe2\x80\xa2    do not convey or imply new requirements or interpretations\n\n\n\n                     Generic Communications Program Responsibilities\n\n                  The Office of Nuclear Reactor Regulation (NRR) has primary\n                  responsibility for implementing the agency\xe2\x80\x99s Generic Communications\n                  Program, including providing guidance regarding the development,\n\n                                                          2\n\x0c                                                          Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n                processing, closeout, and follow-up activities. NRR staff work with\n                NRC\xe2\x80\x99s four regions and other program offices to ensure public health\n                and safety by systematically monitoring reactor-related events, reports,\n                and data to determine the need for a generic communication.\n\n                In addition to NRR, the Office of Nuclear Material Safety and\n                Safeguards (NMSS) issues generic communications to its materials\n                licensees and the Office of Nuclear Security and Incident Response\n                (NSIR) issues security-related generic communications to all classes of\n                NRC licensees.\n\n                After issuance, the applicable NRC program office conducts follow-up\n                activities, including monitoring and assessing licensees\xe2\x80\x99 performance\n                related to generic communications.\n\n                         Generic Communications Program Budget and Resources\n\n                Although NMSS and NSIR each expend resources in the development\n                of generic communications, only NRR identifies the budget and\n                resources for Generic Communications Program activities. For\n                FY 2005, the agency budgeted $72,000 (including $12,000 of\n                carryover funds from FY 2004) for estimated activity within NRR\xe2\x80\x99s\n                Generic Communications Program and 8.7 full-time equivalents (FTE)\n                for generic communications and compliance activities. Actual\n                expenditures for FY 2004 were $43,000 and 6.06 FTE.\n\n                NRR does not budget resources for generic communications\n                completed by NMSS or NSIR. Because these two program offices do\n                not specifically identify resources attributed to generic communications\n                activities as separate budget line items, the Office of the Inspector\n                General (OIG) could not determine the level of actual resources (FTE\n                and dollars) expended.\n\n                         Prior Agency Assessments\n\n                Over the past 10 years, a number of agency self-assessments2 have\n                identified weaknesses in the Generic Communications Program. In\n                response, the agency implemented a number of corrective actions,\n                including revisions to internal policies and procedures.\n\n\n2\n 1995 SECY-95-063, Final Report on NRC Analysis and Response to the Towers Perrin Nuclear Regulatory\nReview Study, dated March 15, 1995; Davis-Besse Reactor Vessel Head Degradation Lessons-Learned Task\nForce Report, dated September 30, 2002; and Effectiveness Review of Lessons Learned Task Force Reports,\ndated August 2, 2004.\n                                                    3\n\x0c                                          Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\nII.   PURPOSE\n\n         The purpose of this audit was to assess the effectiveness of the\n         Generic Communications Program, specifically:\n\n         \xc2\xbe whether NRC generic communications are issued in accordance\n           with the Generic Communications Program and other regulatory\n           requirements, and\n\n         \xc2\xbe how NRC tracks licensee actions on generic communications.\n\n         Appendix A provides a detailed description of the audit\xe2\x80\x99s scope and\n         methodology.\n\n\n\n\n                                     4\n\x0c                                                                Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\nIII.      FINDINGS\n\n                  Through its Generic Communications Program, NRC has an\n                  established framework for developing and issuing certain generic\n                  communications. However, OIG identified weaknesses with the\n                  agency\xe2\x80\x99s internal controls over generic communications. Specifically,\n\n                  A.       safeguards advisories (i.e., a security-related generic\n                           communication) are issued outside of NRC\xe2\x80\x99s existing regulatory\n                           framework,\n\n                  B.       controls for oversight of licensee actions on generic\n                           communications are inadequate, and\n\n                  C.       NRC\xe2\x80\x99s self-assessment\xe2\x80\x99s conclusion of Generic\n                           Communications Program effectiveness is not supported.\n\n                  Without adequate internal controls, NRC cannot ensure the proper use\n                  of, or response to, generic communications. As a result, the agency\n                  may not be able to pursue actions requested or required of licensees in\n                  its generic communications, which could compromise the public\xe2\x80\x99s\n                  confidence in NRC\xe2\x80\x99s regulatory program.\n\n\n       A. Safeguards Advisories are Issued Outside of NRC\xe2\x80\x99s Existing Regulatory\n       Framework\n\n                  NSIR issues security advisories3 that are developed and distributed\n                  outside of NRC\xe2\x80\x99s Generic Communications Program because NSIR\n                  managers believe the formal process takes too long. As a result, the\n                  advisories, particularly safeguards advisories, are not developed in\n                  accordance with the agency\xe2\x80\x99s structured review and approval\n                  practices. Consequently, safeguards advisories could be issued that\n                  do not meet regulatory requirements. The lack of a formal process\n                  could lead to an absence of necessary reviews and thereby\n                  compromise NRC\xe2\x80\x99s regulatory process. Furthermore, the lack of a\n                  clear, publicly documented process for requesting and disseminating\n                  information through safeguards advisories compromises NRC\'s\n                  openness principle for transparent regulation.\n\n\n3\n  The generic term \xe2\x80\x9csecurity advisories\xe2\x80\x9d denotes threat and safeguards advisories, as well as security letters sent\nto classes of licensees.\n\n                                                        5\n\x0c                                                                   Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n                    Generic Communications Program Process Reviews\n\n                    All Generic Communications Program products (initiated by NRR,\n                    NMSS, or NSIR) go through the Program\xe2\x80\x99s disciplined process that\n                    includes the following controls associated with technical and regulatory\n                    reviews:\n\n                    \xc2\xbe Committee to Review Generic Requirements Review\n\n                    The Committee to Review Generic Requirements (CRGR) is an\n                    advisory committee to NRC\'s Executive Director for Operations and is\n                    responsible for:\n\n                             o helping NRC program offices to implement the Commission\'s\n                               backfit policy, and\n                             o ensuring that proposed generic backfits imposed on NRC-\n                               licensed power reactor and selected nuclear materials\n                               licensees are appropriately justified per NRC regulations.\n\n                                      \xc2\x83    Backfit Review\n\n                                      Backfitting is defined as the modification of systems,\n                                      structures, components, or design of a plant or a facility;\n                                      or the design approval or manufacturing license for a\n                                      facility; or the procedures or organization required to\n                                      design, construct, or operate a plant or a facility; any of\n                                      which may result from a new or amended provision in the\n                                      Commission rules or the imposition of a regulatory staff\n                                      position.\n\n                                      NRC\xe2\x80\x99s backfit rules for reactors and materials4 require a\n                                      systematic analysis be satisfied for all backfits the\n                                      agency seeks to impose,5 unless a documented\n                                      evaluation determines that the backfit is necessary for\n                                      either \xe2\x80\x9ccompliance\xe2\x80\x9d or \xe2\x80\x9cadequate protection\xe2\x80\x9d purposes.\n\n\n\n4\n    \xe2\x80\x9cBackfitting.\xe2\x80\x9d per 10 CFR sections 50.109, 70.76, and 76.76.\n5\n  Backfits may be imposed if the Commission\xe2\x80\x99s analysis determines that there is a substantial increase in the\noverall protection of the public health and safety or the common defense and security, and that the direct and\nindirect costs of implementation are justified in view of this increased protection [10 CFR 50.109 (a)(3)-(a)(4), 10\nCFR 70.76(a)(2)-(a)(4), and 10 CFR 76.76(a)(2)-(a)(4)].\n\n                                                          6\n\x0c                                                                Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n                                    Nonetheless, the regulation requires some form of\n                                    documentation when imposing a backfit under either of\n                                    these standards.6 There are no regulatory exceptions to\n                                    the backfit rule for security issues.\n\n                  \xc2\xbe Advisory Committee on Reactor Safeguards Review\n\n                  The Advisory Committee on Reactor Safeguards (ACRS) is statutorily\n                  mandated and has three primary purposes:\n\n                           o review and report on safety studies and reactor facility\n                             license and license renewal applications;\n                           o advise the Commission on the hazards of proposed and\n                             existing reactor facilities and the adequacy of proposed\n                             reactor safety standards; and\n                           o initiate reviews of specific generic matters or nuclear facility\n                             safety-related items.\n\n                  ACRS reviews generic communications, when applicable, before the\n                  generic communication is issued for public comment. The Committee\n                  can defer its response until after public comments are received and\n                  reviewed. Additionally, ACRS should receive copies of all generic\n                  letters and bulletins and selected regulatory issue summaries\n                  forwarded for CRGR review.\n\n                  \xc2\xbe Paperwork Reduction Act Compliance Review\n\n                  The Paperwork Reduction Act of 1980 (Act), as revised in 1995,\n                  governs Federal requests for information collections and stipulates that\n                  independent regulatory agencies (such as NRC) must justify to the\n                  Office of Management and Budget (OMB) their information collection\n                  requests.\n\n                  The Paperwork Reduction Act is intended to:\n\n                           o    minimize the burden for respondents,\n                           o    minimize information collection-related costs to the Federal\n                                government, and\n\n\n\n\n6\n  If immediately effective regulatory action is required, a provision at 10 CFR 50.109(a)(6), 10 CFR 70.76(a)(6),\nand 10 CFR 76.76(a)(6), allows for the documented evaluation to follow, rather than precede, the regulatory\naction.\n                                                        7\n\x0c                                                                Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n                           o    improve the responsibility and accountability of Federal\n                                agencies to Congress and to the public for implementing the\n                                information collection review process and information\n                                management.\n\n                  Corporations and businesses (such as NRC licensees) are covered by\n                  the Act\xe2\x80\x99s definition of persons or public entities that may be affected by\n                  an agency\xe2\x80\x99s \xe2\x80\x9ccollection of information\xe2\x80\x9d activities.\n\n                  The Act also requires that Federal agencies obtain and display a valid\n                  OMB clearance (control) number for all information requests submitted\n                  to 10 or more non-Federal entities or individuals.7 Each part of the\n                  Code of Federal Regulations applicable to NRC contains an OMB\n                  clearance number for NRC generic communication use.\n\n                  Evolution of Security Advisories in View of September 11, 2001\n\n                  Prior to the terrorist attacks of September 11, 2001, the agency\n                  dispatched only threat advisories. NRC threat advisories were issued\n                  infrequently and were informational only in nature, primarily\n                  communicating threat environment information to licensees.\n                  Immediately following the terrorist attacks of September 11, 2001, the\n                  agency quickly issued threat advisories to its licensee community.\n                  This was an effective and efficient use of agency resources and\n                  allowed the licensee community to be quickly apprised of changing\n                  threat information.\n\n                  In the weeks that followed, NRC continued to use threat advisories to\n                  communicate information to licensees. In October 2001, the agency\n                  issued a threat advisory which stated that additional details would be\n                  provided in an upcoming \xe2\x80\x9csafeguards\xe2\x80\x9d advisory. From that time\n                  forward, threat advisories continued to primarily fulfill their original\n                  function of communicating information regarding changing threat\n                  environments while the agency\xe2\x80\x99s uses of the newly-created safeguards\n                  advisories evolved over time.\n\n\n\n\n7\n Information collection requests addressed to all or a substantial majority of an industry is presumed to involve\n10 or more persons.\n\n                                                        8\n\x0c                                 Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n      Change in Uses of Safeguards Advisories\n\nAccording to NSIR documents, safeguards advisories are defined as a\ncommunication of information from the NRC to licensees, where the\nnature of the information provided involves:\n\n\xc2\xbe an identified vulnerability or potential vulnerability;\n\xc2\xbe protection of the national infrastructure;\n\xc2\xbe or any other information that requires immediate or prompt attention\n  that would not be timely if other generic communication procedures\n  were utilized.\n\nIn the months following September 11, 2001, the pattern of use of\nthreat advisories continued as described above, while the issuance\nrate was understandably less than that in the immediate aftermath of\nthe attacks. Similarly, safeguards advisories were also seen as a\nquick method to work in cooperation with the licensee community in\nresponse to the terrorist attacks of September 11, 2001. However, in\ncontrast to threat advisories, safeguards advisories began to be used\nmore frequently to achieve a number of purposes other than sharing\ninformation. For example, some safeguards advisories communicated\ninformation, requested information, requested action, and provided\nregulatory interpretations.\n\n      NSIR\xe2\x80\x99s Organizational Development\n\nIn April 2002, NRC consolidated staff members experienced in\nsafeguards, security, and incident response functions into the new\nNSIR office, in order to improve timeliness and consistency of\ncommunications among NRC\xe2\x80\x99s employees and external stakeholders.\nTo meet the urgent security needs of the agency after the terrorist\nevents of September 11, 2001, this newly formed program office\nbecame operationally functional in advance of developing its\norganizational framework, policies, and procedures. Consequently,\nNSIR-issued safeguards advisories were developed and distributed\noutside of the agency\xe2\x80\x99s established regulatory framework.\n\n\n\n\n                           9\n\x0c                                                              Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n                  NSIR managers acknowledge that safeguards advisories are a form of\n                  generic communication being developed and issued beyond the\n                  established regulatory framework. To date, NSIR has not finalized any\n                  internal office policies or procedures to address the selection,\n                  development, or issuance of safeguards advisories.8 Furthermore, the\n                  agency provides guidance and procedures intended to ensure that\n                  generic communications are justified and comply with regulatory\n                  requirements. However, safeguards advisories are not discussed in\n                  any of the agency\xe2\x80\x99s existing procedures or directives.\n\n                  \xc2\xbe NSIR Perceives the Generic Communications Program as\n                    Untimely\n\n                  NSIR justifies issuing safeguards advisories outside of any established\n                  processes on two grounds: first, that security issues require quick\n                  notification to the licensee community; and second, the perception that\n                  the agency\xe2\x80\x99s Generic Communications Program is not efficient enough\n                  to meet the timeliness needs of safeguards advisories.\n\n                  o Examples of Generic Communications Processing Times\n\n                      Shortly after September 11, 2001, agency managers from offices\n                      responsible for safeguards and security issues created the new\n                      security-related generic communications vehicle called \xe2\x80\x9csafeguards\n                      advisory\xe2\x80\x9d because they felt the bureaucratic nature of the Generic\n                      Communications Program would impede the timeliness of issuing\n                      important security communications. In fact, the agency defines\n                      safeguards advisories as a type of communication to use for\n                      information that \xe2\x80\x9c[r]equires immediate or prompt attention that\n                      would not be timely if other generic communication procedures\n                      were utilized.\xe2\x80\x9d Specifically, NRC managers understood that it\n                      generally takes at least several months to issue a generic\n                      communication through the Generic Communications Program.\n                      Although not typical, Table 2 shows that generic communications\n                      can be issued in as little as one day, when in response to a\n                      significant event.\n\n\n\n\n8\n  During this audit, NSIR began drafting procedures to address safeguards advisories. However, NSIR said due\nto other priorities and the additional consideration of whether advisories should be recognized and incorporated\nin NRC\xe2\x80\x99s formal Generic Communications Program, the formal procedures have not been finalized. NSIR stated\nthat it has an informal process for management review and approval of safeguards advisories.\n\n                                                      10\n\x0c                                                                Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n                                                    Table 2\n\n          Issue Times for Sample of Generic Communications Program Products\n\n          Example                 Description                          Date               Elapsed Time from\n            No.                                                                               Discovery9\n                           Discovery of cavity in                March 7, 2002                    --\n               1         Davis-Besse Vessel Head\n                         Information Notice 02-11               March 12, 2002                    5 days\n                             Bulletin 2002-01                   March 18, 2002                   11 days\n\n                         Death of oncology patient            November 21, 1992                      --\n                         attributed at least in part to\n               2              radiation overdose\n                         Second source separation             December 7, 1992                       --\n                             reported to the NRC\n                           Bulletin 92-03 Issued              December 8, 1992               1 day/17 days\n\n                           Discovery of inadequate             January 27, 2005                      --\n               3         fire barrier in seismic gaps\n                          Information Notice 05-04            February 14, 2005                  18 days\n\n                   The above examples show that generic communications dealing with\n                   significant issues, such as the Davis-Besse vessel head problems, can\n                   be issued in a timely manner. In fact, as reflected in bold in Table 2,\n                   the agency developed and issued two bulletins (i.e., the Generic\n                   Communications Program product designed to share urgent risk-\n                   significant issues) in about two weeks \xe2\x8e\xaf a time frame considered by\n                   an NSIR senior executive as a \xe2\x80\x9creasonable way to proceed.\xe2\x80\x9d\n\n                   In addition, NSIR at times chose the Generic Communications\n                   Program (see Table 3) to convey security matters of similar substance\n                   to those found in safeguards advisories. Specifically, NSIR issued 18\n                   regulatory issue summaries (a recognized Generic Communications\n                   Program product), during the same time frame where NSIR issued 6510\n                   threat and safeguards advisories (unrecognized generic\n\n\n\n\n9\n The time used is very conservative because it is based on discovery or notification of the issue until issuance\ndate of the generic communication. This includes preparation time, review time, process reviews and\nconcurrence.\n10\n   NSIR provided information regarding the issuance of 65 security advisories during the reference period.\nHowever, this number may be conservative because NSIR had not maintained a comprehensive log of the\nissued advisories.\n                                                        11\n\x0c                                                    Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n        communications products). Yet, in these cases, NSIR has no\n        documented rationale for selecting a recognized generic\n        communications product versus using security advisories.\n\n\n                                         Table 3\n\n   NRC/NSIR Security-Related Generic Communications Issued\n         September 11, 2001 through January 26, 2005\n\n                Type                                                Number\n Security Advisories*                                                 65\n Regulatory Issue Summaries**                                           18\n Orders***                                                              10\n Total                                                                  93\n\n   *Threat and safeguards advisories - not recognized by the Generic Communications Program\n **Official Generic Communications Program product\n***Orders meet the generic communication definition when issued to one or more classes of licensees\n\n\n        \xc2\xbe Lack of Technical and Regulatory Reviews Compromises\n          NRC\xe2\x80\x99s Regulatory Processes\n\n        The agency\xe2\x80\x99s use of advisories significantly increased after September\n        11, 2001. Agency managers and staff, as well as industry\n        representatives have more and more often questioned the regulatory\n        authority for issuing advisories. Of particular concern are the\n        safeguards advisories primarily because, as stated by a senior Nuclear\n        Energy Institute representative, NRC is using many safeguards\n        advisories \xe2\x80\x9cto establish new requirements without going through the\n        required agency review process.\xe2\x80\x9d\n\n        By developing and issuing generic communications outside of the\n        established Generic Communications Program, NRC compromises its\n        regulatory processes. For example, OIG determined that safeguards\n        advisories have no documented regulatory foundation for\n        communicating to licensees anything other than information. However,\n        as shown in Figure 1 below, the majority of advisories served purposes\n        beyond simply conveying information.\n\n\n\n\n                                            12\n\x0c                                            Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n                             Figure 1*\n\n     Purposes Served by Advisories Issued from\n    September 11, 2001 through January 26, 2005\n\n\n\n\n                                            Request\n                 Request Action,        Information, 25%\n                      40%\n\n\n                                                          Contains Reg.\n                                                         Guidance, 12%\n\n\n\n\n                  Apparent\n                 Requirements,\n                     14%            Provide Info Only,\n                                          42%\n\n\n\n\n   *OIG notes that the percentages in the above chart exceed 100% because several\n   advisories served multiple purposes other than providing information only.\n\n\n\nOIG\xe2\x80\x99s Technical Review of NRC/NSIR-Issued Generic\nCommunications\n\nAs discussed in Table 3, NRC/NSIR issued 93 security-related generic\ncommunications from September 11, 2001 to January 26, 2005. OIG\ndetermined that 65 of the communiqu\xc3\xa9s were security-related\nadvisories, of which 38 percent (or 25 advisories) provided information\nonly. However, the remaining 62 percent (or 40 advisories) were used\nfor other purposes, such as requesting or requiring information or\nlicensee action, containing regulatory guidance, and conveying\napparent requirements. Figure 1 represents the purposes served by\nthe 65 security-related advisories.\n\n\n\n\n                                   13\n\x0c                                 Audit of NRC\xe2\x80\x99s Generic Communications Program\n\nThe agency is obligated to follow appropriate regulatory requirements\nfor its generic communications. However, because advisories are\nissued outside of the Generic Communications Program, the required\nregulatory reviews were not performed. As a result, though\nappropriate in some cases, safeguards advisories did not receive:\n\n   \xc2\xbe   CRGR backfit review although this committee has a defined role\n       in reviewing generic communications to make sure NRC stays\n       within its backfit authorities. Without CRGR review, NRC could\n       impose an improper backfit on its licensees.\n\n   \xc2\xbe ACRS technical review although this committee has a defined\n     role in reviewing any generic communication that conveys\n     requirements on licensees. Without ACRS review, NRC could\n     impose unjustified requirements on its licensees.\n\n   \xc2\xbe Paperwork Reduction Act review to ensure proper citing of\n     either the applicable OMB control (clearance) number for\n     information requests, or an exemption clause, where\n     appropriate.\n\n          o The Act states that the NRC \xe2\x80\x9cmay not conduct or\n            sponsor, and a person is not required to respond to, a\n            request for information or an information collection unless\n            the requesting document displays a currently valid OMB\n            control number.\xe2\x80\x9d\n\n       None of the safeguards advisories issued from September 11,\n       2001 until mid-May 2005 displayed an OMB control number nor\n       contained a statement that the provisions of the Paperwork\n       Reduction Act do not apply (i.e., NRC review determined that\n       OMB clearance was not required).\n\n       Because NRC did not satisfy Paperwork Reduction Act\n       requirements regarding control numbers, licensees have a basis\n       to ignore requests or suggestions contained in NRC safeguards\n       advisories. This brings into question the agency\xe2\x80\x99s ability to\n       pursue actions requested or required of licensees as contained\n       in any of these advisories.\n\n\n\n\n                           14\n\x0c                                                                  Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n                     \xc2\xbe NRC\xe2\x80\x99s Openness Principle Is Compromised\n\n                         According to NRC\xe2\x80\x99s Strategic Plan, the agency has a goal to\n                         \xe2\x80\x9censure openness in our regulatory process.\xe2\x80\x9d\n\n                                  o The Openness goal further states that the NRC \xe2\x80\x9cviews\n                                    nuclear regulation as the public\xe2\x80\x99s business and, as such,\n                                    it should be transacted openly and candidly in order to\n                                    maintain the public\xe2\x80\x99s confidence. The goal to ensure\n                                    openness explicitly recognizes that the public must be\n                                    informed about, and have a reasonable opportunity to\n                                    participate meaningfully in, the NRC\xe2\x80\x99s regulatory\n                                    process.\xe2\x80\x9d\n\n                                  o The Strategic Outcome that supports the goal of\n                                    openness is, \xe2\x80\x9cStakeholders are informed and involved in\n                                    NRC processes as appropriate.\xe2\x80\x9d\n\n                     However, there is no clear, publicly documented process for\n                     disseminating and requesting information through safeguards\n                     advisories. In addition, safeguards advisories do not have a\n                     consistent, formally-defined concurrence process. This lack of an\n                     identified, transparent agency process compromises NRC\'s principle of\n                     open regulation.\n\n                     While NSIR senior managers acknowledge that there should be a\n                     clear, formal process for the development and issuance of safeguards\n                     advisories, they expressed a need for balance between protecting\n                     public openness (an agency goal) and common defense and security\n                     (the agency\xe2\x80\x99s mission). Currently there are differing opinions among\n                     NRC senior managers regarding the public\xe2\x80\x99s right to know about the\n                     information contained in the advisories. As of the date of this report,\n                     the public may still not know of the existence of specific safeguards\n                     advisories because they are not made publicly available even though\n                     many do not contain information actually designated by the agency as\n                     \xe2\x80\x9cSafeguards Information.\xe2\x80\x9d11\n\n\n\n\n11\n     The title \xe2\x80\x9csafeguards advisories\xe2\x80\x9d is misleading in that many do not contain Safeguards-classified information.\n\n                                                          15\n\x0c                                  Audit of NRC\xe2\x80\x99s Generic Communications Program\n\nSummary\n\nThrough its Generic Communications Program, NRC has an\nestablished framework for developing and issuing certain generic\ncommunications. However, NRC management has not followed\nexisting policies and procedures by developing and issuing safeguards\nadvisories outside of the agency\xe2\x80\x99s regulatory framework. Without\napplication of adequate controls to ensure that agency\ncommunications are promulgated in accordance with applicable\nregulatory requirements, the agency may --\n\n\xc2\xbe     Be unable to pursue actions requested or required of licensees\n      in its generic communications,\n\n\xc2\xbe     Compromise its openness policy, thereby affecting the public\xe2\x80\x99s\n      confidence in NRC\xe2\x80\x99s regulatory processes and decision-making,\n      and\n\n\xc2\xbe     Lack assurance that its generic communications are effective.\n\nTo date, NSIR has not finalized any policies or procedures for\ndeveloping and issuing safeguards advisories.\n\nRECOMMENDATIONS\n\nOIG recommends that the Executive Director for Operations:\n\n1. Include safeguards advisories, as well as any other agency\n   communication tool that meets the definition of a generic\n   communication, in the formal Generic Communications Program to\n   ensure compliance with regulatory requirements.\n\n2. Pursue immediately the applicability of including appropriate Office\n   of Management and Budget control numbers in safeguards\n   advisories.\n\n\n\n\n                            16\n\x0c                                          Audit of NRC\xe2\x80\x99s Generic Communications Program\n\nB. Controls for Oversight of Licensee Actions on Generic Communications\nare Inadequate\n\n        NRC\xe2\x80\x99s oversight of licensee actions on generic communications is\n        inadequate because the program lacks the controls for an agency-wide\n        systematic follow-up methodology. Instead, the follow-up process is\n        left to the discretion of the project managers responsible for each site.\n        Without a systematic process to ensure that a generic communication\n        is consistently monitored through its lifecycle (from initiation to\n        closure), the agency could lose track of requests to licensees,\n        responses from licensees, and important operating experience data\n        that might identify potential safety and regulatory issues.\n\n                Internal Controls for Generic Communications are\n                Lacking\n\n        The Generic Communications Program lacks standards for following\n        the full lifecycle of an agency generic communication because the\n        Program\xe2\x80\x99s responsibilities end at issuance.\n\n        OMB Circular A-123, Management Accountability and Control, dictates\n        that agency internal controls include \xe2\x80\x9cthe plan of organization, methods\n        and procedures adopted by management to ensure its goals are met.\xe2\x80\x9d\n        In addition, other Federal internal control standards reference a need\n        for agencies to maintain clearly documented, readily available\n        information on the full lifecycle of all agency communications.\n        Therefore, NRC should have procedures in place to facilitate\n        systematic tracking of generic communications from initiation to\n        closure.\n\n        Generic Communications Program Tracking Ends at Issuance\n\n        The Generic Communications Program\xe2\x80\x99s controls are not adequate\n        because the Program only tracks part of the lifecycle of a generic\n        communication. Specifically, the Program\xe2\x80\x99s procedures address\n        following a generic communication from the proposal stage, through\n        development of the chosen product, but ends at document issuance.\n        As a result, the Program does not track NRC or licensee actions\n        related to the matter once the document is issued. Such subsequent\n        actions include coordinating licensee responses, agency review of\n        those responses, and any resulting inspections.\n\n\n\n                                    17\n\x0c                                  Audit of NRC\xe2\x80\x99s Generic Communications Program\n\nUpon issuance of a generic communication, individual NRC project\nmanagers or organizational groups assume tracking responsibilities.\nAt this point, the process relies on the diligence of individuals rather\nthan a consistent, systematic tracking process. If agency management\ndesires the status of licensees\xe2\x80\x99 actions on a particular generic\ncommunication, the data is not available through the Generic\nCommunications Program. Instead, the data must be compiled from a\nvariety of sources, such as the project managers responsible for each\nsite.\n\nThe inherent risk in relying on individuals to track NRC or licensees\nactions subsequent to issuance is that individuals may choose differing\ntracking strategies (which may or may not be effective) or may fail to\ntrack at all. NRC project managers have several information systems\nat their disposal for tracking data on generic communications.\nAccording to NRR staff, these systems include the Operating\nExperience Section Task Tracking Database; the Multi-Plant Actions\nsystem; the Time, Resource, Information, and Management system;\nand the Reactor Program System. Each of these identified systems is\na standalone system and contains different, as well as duplicative,\ngeneric communications information.\n\n      Internal Guidance on Processing Generic Communications\n\nNRR Office Instruction LIC-503, Generic Communications Affecting\nNuclear Reactor Licensees, and NRC Inspection Manual Chapter\n0730, Generic Communications Regarding Materials and Fuel Cycle\nIssues, both provide guidance and procedures for the preparation,\ndistribution, follow-up, and closeout of generic communications.\n\nHowever, the internal guidance provides no agency-wide policies or\nprocedures regarding the systematic tracking of generic\ncommunication follow-on activities performed by NRC or its licensees.\nIn other words, the guidance discusses \xe2\x80\x98what\xe2\x80\x99 needs to occur for\nclosing out a generic communication, but not \xe2\x80\x98how\xe2\x80\x99 or \xe2\x80\x98where\xe2\x80\x99 to record\nthe information. For example, the guidance discusses how to evaluate\nresponses, but does not address how to track responses.\n\nPotential Loss of Safety/Regulatory Data\n\nNRC issues generic communications to provide guidance, common\napproaches to resolve issues, and to share industry\xe2\x80\x99s operating\nexperiences. Therefore, it is vital that agency management has\n\n                            18\n\x0c                                  Audit of NRC\xe2\x80\x99s Generic Communications Program\n\nassurance that licensees take actions as expected. As previously\nstated, basic tenets of management controls include methods and\nprocedures adopted by management to ensure its goals are met.\n\nWhen the agency must rely on the diligence of individuals to track\nactions related to generic communications, it cannot have the\nprogrammatic assurance that its goals are met and risks the loss of\nsignificant operational data needed for regulatory and/or reactor safety\ndecisions.\n\nRECOMMENDATION\n\nOIG recommends that the Executive Director for Operations:\n\n3. Implement controls to ensure a systematic, consistent tracking\n   methodology from initiation to closure for each agency-issued\n   generic communication.\n\n\n\n\n                            19\n\x0c                                                         Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n    C. NRC\xe2\x80\x99s Self-Assessment\xe2\x80\x99s Conclusion of Generic Communications\n    Program Effectiveness is Not Supported\n\n                Based on NRC\xe2\x80\x99s Commission direction, NRR conducted an\n                effectiveness study of Generic Communications Program products.\n                Although that study concluded that generic communications were\n                effective, the review lacked an adequate sample or scientific basis for\n                the conclusion. The limited sample chosen by NRR resulted from an\n                inability to reach consensus on a sample selection and because of a\n                preconception that the Generic Communications Program was\n                effective. As a result of such a limited review, the conclusion that the\n                Generic Communications Program products are effective is not\n                supported.\n\n                Background\n\n                In March 2004, based on findings by the Davis-Besse Lessons\n                Learned Task Force (Task Force),12 the Commission directed staff to\n                evaluate whether generic communications accomplish their intent to\n                inform licensees and collect information on licensee actions in\n                response to serious incidents. The Task Force recommended that\n                staff assess the effectiveness of clear communication to licensees and\n                licensee follow-up activities. The agency\xe2\x80\x99s definition of \xe2\x80\x9cEffectiveness\xe2\x80\x9d\n                was defined as the achievement of a desired outcome from a program,\n                process, or activity in an efficient, realistic, and timely manner.\n\n                Prior to the Task Force report, NRR conducted an effort to identify the\n                five highest priority NRC-issued generic communications by requesting\n                technical assistance from staff members in NRR, the Office of Nuclear\n                Regulatory Research, and NRC\xe2\x80\x99s four regions. The highest priority\n                generic communications would then be reviewed for verification of\n                continued licensee support and commitment. Agency staff was asked\n                to use their expertise to prioritize from a list of 104 pre-screened\n                Generic Communications Program products, consisting of 36 bulletins\n                and 68 generic letters.\n\n\n\n\n12\n   Davis-Besse Reactor Vessel Head Degradation Lessons-Learned Task Force Report, dated September 30,\n2002.\n\n                                                  20\n\x0c                                  Audit of NRC\xe2\x80\x99s Generic Communications Program\n\nAgency\xe2\x80\x99s Self-Assessment Methodology Was Not Statistically Sound\n\nAn NRC statistician advised OIG that the agency could not adequately\nassess the effectiveness of Generic Communications Program\nproducts based on a review of the small, biased sample size proposed\nby NRR (i.e., 6-10 bulletins/generic letters) or from the actual sample\n(i.e., two generic communications). Nonetheless, NRR\xe2\x80\x99s self-\nassessment concluded that licensees had adequately responded to\ngeneric letters and bulletins. The results communicated to the\nCommission further stated that generic communications accomplish\ntheir intent to inform licensees and collect information on licensee\nactions in response to significant issues. The self-assessment staff\nreported that the Generic Communications Program products are\neffective.\n\n\xc2\xbe NRR\'s proposed methodology for the effectiveness self-\n  assessment was to sample 6-10 bulletins and generic letters from\n  the aforementioned prioritized list. The review would include\n  inspecting for follow-up activities at 8-10 reactor sites. Although the\n  initial methodology was not sound, NRR management and the\n  Commission approved this proposal.\n\nAccording to the NRC statistician, in order to effectively assess the\nGeneric Communications Program, a significantly larger sampling of\nproducts would have been needed than that proposed by the staff.\nThe statistician did not provide a specific sample size because such a\ndecision requires greater insights into how statistical parameters affect\nthe program (e.g., classifying results by bulletin or generic letter).\n\nMoreover, NRR did not conduct the proposed review previously\ndescribed. In actuality, the review consisted of only two generic\ncommunications; one generic letter and one regulatory issue summary\n\xe2\x80\x93 a category not even identified in the initial screening. Staff reported\nthat verification of the two generic communications was conducted at\n12 plants; three in each of the four regions which OIG notes exceeds\nthe number originally proposed. However, this review approach, like\nthe proposed one, was not based on a sound methodology.\n\n\n\n\n                            21\n\x0c                                    Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n\n\xc2\xbe      Preconceptions Influenced the Prioritization Exercise\n       The agency did not conduct or provide a documented, scientific\n       basis for either the proposed or completed sample because staff\n       could not reach consensus on the priority of the \xe2\x80\x9cmost\n       significant\xe2\x80\x9d generic communications. As a result, the staff\n       decided to reduce the sample for review from the proposed 6-10\n       high-level generic communications, to just two, including one\n       lower-level priority communiqu\xc3\xa9.\n\n\nAccording to those directly involved in sample selection, staff biases\nclouded the sample prioritization decisions. In addition, the majority of\nthose interviewed for this audit, including those directly involved in the\nsample selection, are generally satisfied that the agency\xe2\x80\x99s Generic\nCommunications Program is effective. One senior agency executive\nstated that his confidence in the effectiveness of the Generic\nCommunications Program stems from many years of experience using\nNRC\xe2\x80\x99s generic communications process. Such a preconception\ncontributed to the agency\xe2\x80\x99s acceptance of the projection of program\neffectiveness, regardless of sample size.\n\n\nIn discussions on this finding, NRC staff said this effort was never\nintended to be a statistical evaluation of the effectiveness of the\nGeneric Communications Program but rather to be a case study\ninvolving selected communications. Though not intended, the\nagency\xe2\x80\x99s reported results implied that the whole Generic\nCommunications Program, and not just the selected communiqu\xc3\xa9s, is\neffective. However, as a result of the inadequate sample size and\nselection process, there is no scientific/statistical basis to conclude, or\nimply, that the program and its associated products are effective.\n\nRECOMMENDATION\n\nOIG recommends that the Executive Director for Operations:\n\n4. Direct the development of a methodology that will allow the staff to\n   gauge the effectiveness of agency-issued generic communications.\n\n\n\n\n                             22\n\x0c                                            Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\nIV.   CONSOLIDATED LIST OF RECOMMENDATIONS\n\n          OIG recommends that the Executive Director for Operations:\n\n          1. Include safeguards advisories, as well as any other agency\n             communication tool that meets the definition of a generic\n             communication, in the formal Generic Communications Program to\n             ensure compliance with regulatory requirements.\n\n          2. Pursue immediately the applicability of including appropriate Office\n             of Management and Budget control numbers in safeguards\n             advisories.\n\n          3. Implement controls to ensure a systematic, consistent tracking\n             methodology from initiation to closure for each agency-issued\n             generic communication.\n\n          4. Direct the development of a methodology that will allow the staff to\n             gauge the effectiveness of agency-issued generic communications.\n\n\n\n\n                                      23\n\x0c                                          Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\nV.   AGENCY COMMENTS\n\n        On September 6, 2005, OIG discussed its draft report with agency\n        senior executives. Subsequent to that meeting, NRC provided informal\n        comments on the draft report and OIG met with NRR management to\n        address specific issues and concerns needing further clarification\n        and/or explanation. On September 27, 2005, the Deputy Executive\n        Director for Reactor and Preparedness Programs, Office of the\n        Executive Director for Operations, provided a formal response to this\n        report in which the staff generally concurs with the report\xe2\x80\x99s findings and\n        recommendations. The agency\xe2\x80\x99s transmittal letter and specific\n        comments on this report are included as Appendix B.\n\n        This final report incorporates revisions made, where appropriate, as a\n        result of the subsequent meeting and the agency\xe2\x80\x99s informal and formal\n        written comments. Appendix C contains OIG\xe2\x80\x99s specific responses to\n        the agency\xe2\x80\x99s comments.\n\n\n\n\n                                    24\n\x0c                                         Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n                                                                          Appendix A\nSCOPE AND METHODOLOGY\n\n       NRC\xe2\x80\x99s Generic Communications Program products are the primary\n       means for communicating with agency licensees. Therefore, all\n       elements of the Program must be effective and efficient in order for\n       generic communications to accomplish their intent.\n\n       The purpose of this audit was to assess the effectiveness of the\n       Generic Communications Program, specifically:\n\n       \xc2\xbe whether NRC generic communications are issued in accordance\n         with the Generic Communications Program and other regulatory\n         requirements, and\n\n       \xc2\xbe how NRC tracks licensee actions on generic communications.\n\n       To address the audit objectives, OIG reviewed relevant management\n       controls, related documentation, and Federal statutes, including\n       reviews of:\n\n       \xc2\xbe   Management Directives 3.54, 3.57, and 3.53\n       \xc2\xbe   NRC Inspection Manual Chapter 0730\n       \xc2\xbe   NRR Office Instructions LIC-503 and LIC-401\n       \xc2\xbe   NSIR\xe2\x80\x99s Office Instruction COM-201, Security Advisories, and\n           Emergent Work Process\n       \xc2\xbe   NRC\xe2\x80\x99s Backfit Rule\n       \xc2\xbe   OMB\xe2\x80\x99s Paperwork Reduction Act\n       \xc2\xbe   GAO\xe2\x80\x99s Internal Control Standards\n       \xc2\xbe   CRGR\xe2\x80\x99s Charter\n       \xc2\xbe   NRC\xe2\x80\x99s Davis-Besse Lessons Learned Task Force Report\n       \xc2\xbe   NRC\xe2\x80\x99s Effectiveness Review of Lessons Learned Task Forces\n       \xc2\xbe   Code of Federal Regulations, Title 10, Parts 50.54(f), 50.71,\n           50.109, 70.76, and 76.76\n       \xc2\xbe   NRR, NMSS, and NSIR Operating Plans and Budget Documents\n\n       Auditors conducted interviews and discussions with agency and\n       industry individuals, including:\n\n       \xc2\xbe Headquarters\xe2\x80\x99 senior managers from the Offices of:\n       \xc2\xbe\n           o the Executive Director for Operations, the General Counsel,\n              NRR, NMSS, NSIR, Information Services, and Nuclear\n              Regulatory Research\n                                   25\n\x0c                                 Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n\xc2\xbe   Representatives from CRGR\n\xc2\xbe   Representatives from ACRS\n\xc2\xbe   Representatives from the Nuclear Energy Institute\n\xc2\xbe   NRC\xe2\x80\x99s statistician\n\nOIG conducted this audit between September 2004 and June 2005 in\naccordance with generally accepted Government auditing standards\nand included a review of management controls related to the\nobjectives of this audit. The major contributors to this report were\nAnthony Lipuma, Team Leader; Catherine Colleli, Audit Manager;\nYvette Russell, Senior Auditor; and Michael Cash, Technical Advisor.\n\n\n\n\n                           26\n\x0c                              Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n                                                               Appendix B\nFORMAL AGENCY COMMENTS\n\n\n\n\n                         27\n\x0c     Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n\n28\n\x0c     Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n\n29\n\x0c     Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n\n30\n\x0c     Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n\n31\n\x0c                     Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n              32\n\x0c                                               Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n                                                                                Appendix C\n\nDETAILED OIG ANALYSIS OF AGENCY COMMENTS\n\n             On September 6, 2005, OIG discussed its draft report with agency\n             senior executives. Subsequent to that meeting, NRC provided informal\n             comments on the draft report and OIG met with NRR management to\n             address specific issues and concerns needing further clarification\n             and/or explanation. On September 27, 2005, the Deputy Executive\n             Director for Reactor and Preparedness Programs, Office of the\n             Executive Director for Operations, transmitted a memorandum with\n             formal comments on this report (see Appendix B).\n\n\n             Below is OIG\xe2\x80\x99s analysis of the agency\xe2\x80\x99s formal comments.\n\n             NRC Comment 1\n\n             1.     At the end of the "Findings" section starting on the bottom of\n                    page 6, and also text on page 25, the draft report states that as\n                    a result of failure to apply internal control mechanisms, "the\n                    agency may not be able to enforce actions requested or\n                    required of licensees." The staff believes that the report\n                    continues with an erroneous premise in its findings that a\n                    generic communication can "require" actions that may be\n                    enforced. Generic communications do not impose enforceable\n                    requirements to perform actions.\n\nOIG Response\nOIG recognizes that generic communications (other than NRC Orders) are not a\nrecognized vehicle for communicating regulatory requirements. However, some\nsafeguards advisories contain ambiguous language that could reasonably be\ninterpreted as a mandate for licensee action or providing information. As such,\nthe point remains that the failure to follow appropriate regulatory processes\nbrings into question the agency\xe2\x80\x99s ability to pursue any actions based on these\nadvisories. Nonetheless, OIG recognizes that use of the word \xe2\x80\x9cenforce\xe2\x80\x9d in close\nconjunction with \xe2\x80\x9crequire actions\xe2\x80\x9d may be misperceived and warrants a change.\n\nThe word \xe2\x80\x9cenforce\xe2\x80\x9d has been changed in the report to \xe2\x80\x9cpursue.\xe2\x80\x9d\n\n\n\n\n                                         33\n\x0c                                               Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n\n             NRC Comment 2\n\n             2. On page 7 of the draft report, the following changes should be\n                considered:\n\n                  "A. Safeguards Advisories Are Issued Outside of NRC\xe2\x80\x99s Existing\n                  Regulatory Framework\n\n                  NSIR issues security advisories that are developed and distributed\n                  outside of NRC\xe2\x80\x99s Generic Communications Program because NSIR\n                  managers believe the formal process takes too long. As a result,\n                  the advisories, particularly safeguards advisories, are not\n                  developed in accordance with the agency\xe2\x80\x99s structured review and\n                  approval practices. Consequently, safeguards advisories could be\n                  issued that do not meet regulatory requirements. The lack of a\n                  formal process could lead to an absence of necessary reviews and\n                  thereby compromises NRC\xe2\x80\x99s regulatory process. Furthermore, the\n                  lack of a clear, publicly documented process for requesting and\n                  disseminating information through safeguards advisories\n                  compromises NRC\'s openness principle for transparent regulation."\n\n\nOIG Response\nThe subtle word change does not alter the sentence\xe2\x80\x99s main point that the\nagency\xe2\x80\x99s regulatory process is comprised when appropriate reviews are omitted.\n\nOIG revised the report to reflect the requested change in language.\n\n             NRC Comment 3\n\n             3.    On page 16 of the draft report, the following changes should be\n                   considered:\n\n                   "Although not typical, Table 2 shows that generic communications\n                   can be issued in as little as one day, when necessary. ,when in\n                   response to a significant event."\n\n\n\n\n                                         34\n\x0c                                               Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\nOIG Response\nThe requested word change is subtle and does not alter the sentence\xe2\x80\x99s main\npoint.\n\nOIG revised the report to reflect the requested change in language.\n\n             NRC Comment 4\n\n             4.    On page 17 of the draft report, the following changes should b\n                   considered:\n\n                    "In addition, contrary to perceived inefficiencies with the\n                    process, NSIR at times chose the Generic Communications\n                    Program (see Table 3) to convey security matters of similar\n                    substance to those found in safeguards advisories. Specifically,\n                    NSIR issued 18 regulatory issue summaries (a recognized\n                    Generic Communications Program product), during the same\n                    period when NSIR issued 65 threat and safeguards advisories\n                    (unrecognized generic communications products). Yet, in these\n                    cases, NSIR has no documented rationale for selecting a\n                    recognized generic communications product versus using\n                    security advisories."\n\n                    Additionally, the staff believes that improvements have been\n                    realized since the "ad hoc days" just after 9/11. Recent SAs\n                    have been focused on the following criteria, which is being\n                    formalized in an NSIR procedure. The following are considered\n                    to be appropriate content of security advisories:\n\n                              \xe2\x80\xa2   Notification that the Homeland Security Threat\n                                  Advisory System threat level has been elevated\n                              \xe2\x80\xa2   Notification of National Special Security Events\n                              \xe2\x80\xa2   Recommended compensatory measures and\n                                  suggested actions for rapidly emerging safeguard\n                                  and security-related issues\n                              \xe2\x80\xa2   Requests for security or safeguards information\n                                  from licensees related to an imminent vulnerability\n                                  or condition\n                              \xe2\x80\xa2   Guidance on implementing existing security and/or\n                                  safeguards regulatory requirements related to an\n                                  imminent vulnerability or condition\n\n                                         35\n\x0c                                               Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\nOIG Response\nOIG recognizes that NSIR has been working towards formalizing the use of\nsafeguards advisories, such as employing specific criteria to remove the ad hoc\nnature. Deletion of the identified phrase does not change the point of this\nparagraph which says that NSIR, at times, used recognized generic\ncommunications products to transmit similar type information as found in the\nunrecognized safeguards advisories.\n\nOIG deleted the phrase as requested.\n\n             NRC Comment 5\n\n             5.     On page 19, the draft report states:\n\n                    "Lack of Technical and Regulatory Reviews Compromises\n                    NRC\xe2\x80\x99s Regulatory Processes\n\n                    The agency\xe2\x80\x99s use of advisories significantly increased after\n                    September 11, 2001. Agency managers and staff, as well as\n                    industry representatives have more and more often questioned\n                    the regulatory authority for issuing advisories. Of particular\n                    concern are the safeguards advisories primarily because, as\n                    stated by a senior Nuclear Energy Institute representative, NRC\n                    is using many safeguards advisories \xe2\x80\x98to establish new\n                    requirements without going through the required agency review\n                    process.\xe2\x80\x99"\n\n                    Although not formalized, Safeguards Advisories (at least since\n                    2003) have been reviewed by the Office of General Counsel to\n                    ensure that new requirements are not set and NSIR is unaware\n                    of "new requirements" having been issued, via SAs.\n\n\nOIG Response\nThe agency states that safeguards advisories have been reviewed by the Office\nof the General Counsel (OGC), at least since 2003, to ensure new requirements\nare not set. However, as stated in the report, OIG conducted a technical review\nof the 65 security advisories identified by NSIR and found that 14% were used for\ncommunicating apparent requirements, including a safeguards advisory dated\nJune 2004.\n\nThroughout this audit, NSIR could not identify a comprehensive list of safeguards\n\n                                         36\n\x0c                                                Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\nadvisories issued for the period under consideration nor could NSIR staff provide\nassurance that all safeguards advisories received an OGC review. In fact,\naccording to NSIR and OGC staff, because the agency was usually anxious to\nissue the safeguards advisories, they did not always receive an OGC review.\n\nNo change made to the report.\n\n\n             NRC Comment 6\n\n             6. On page 20 of the draft report, Figure 1 groups all advisories\n                (Safeguards and Threat Advisories) issued since 9/11 together.\n                This grouping should be reconsidered and the report should focus\n                on more recently developed SAs. This would focus the information\n                on current practices and would aid the staff\xe2\x80\x99s understanding of\n                current program needs.\n\n\nOIG Response\nOIG acknowledges that the agency has shown increased interest in the\ndevelopment and issuance of safeguards advisories since the start of this audit.\nHowever, as stated in the response to agency comment 5, NSIR was not able to\nprovide OIG with a complete listing or copies of all issued safeguards advisories\nbecause of a lack of a standard process, including the absence of a numbering\nsystem. While OIG acknowledges that threat advisories have a different use and\nfollow a different internal process, neither of the advisories receives a formal\nregulatory review to ensure proper use. Therefore, information provided in\nFigure 1 regarding multiple uses of advisories appropriately applies to both types.\n\nNo change made to the report.\n\n             NRC Comment 7\n\n             7.     Page 21 of the draft report states:\n\n                    "As a result, safeguards advisories did not receive . . . ACRS\n                    technical review although this committee has a defined role in\n                    reviewing any generic communication that conveys\n                    requirements on licensees. Without ACRS review, NRC could\n                    impose unjustified requirements on its licensees."\n\n\n                                          37\n\x0c                                               Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n                    Please note that SAs do not impose requirements, and based\n                    on the above statement, an ACRS review is not required.\n\nOIG Response\nOIG acknowledges the possibility that not all of the safeguards advisories issued\nduring the period reviewed would have required an ACRS review. However,\nbecause OIG\xe2\x80\x99s technical review identified a number of advisories which\nconveyed apparent requirements, the likelihood exists that in some instances an\nACRS review would have been appropriate. Without the benefit of formal\nprocessing, the agency has no assurance that safeguards advisories would\nreceive an ACRS review where necessary.\n\nNo change made to the report.\n\n\n             NRC Comment 8\n\n             8.     On page 24 of the draft report, the following changes should be\n                    considered:\n\n                    "While NSIR senior managers acknowledge that there should be\n                    a clear, formal process for the development and issuance of\n                    safeguards advisories, they expressed a need for balance\n                    between protecting public openness (an agency goal) and\n                    common defense and security (the agency\xe2\x80\x99s mission). Currently\n                    there are differing opinions among NRC senior managers\n                    regarding the public\xe2\x80\x99s right to know about the information\n                    contained in the advisories. As of the date of this report, the\n                    public may still not know of the specific existence of specific\n                    safeguards advisories because they are not made publicly\n                    available even though many do not contain information actually\n                    designated classified by the agency as "Safeguards\n                    Information."\n\n                    The content of SAs can be classified as: National Security\n                    Information (i.e., Top Secret, Secret, Confidential); Safeguards\n                    Information; Exempt from Public Disclosure in Accordance with\n                    10 CFR 2.390; or a variety of federal agency sensitive\n                    unclassified information processes (see SECY-04-0191, dated\n                    October 19, 2004). These processes are defined and\n                    implemented. The above statement (without suggested\n                    changes) is somewhat misleading in that the information in the\n                    SAs is classified and protected in accordance with defined and\n                                         38\n\x0c                                                Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n                    formal NRC and federal government processes, and therefore\n                    "... differing opinions among NRC senior managers regarding\n                    the public\xe2\x80\x99s right to know about the information contained in the\n                    advisories" is irrelevant. Additionally, the idea that the public\n                    may, or may not, be aware of safeguard advisories is valid.\n                    However, the concept that ".... they are not made publicly\n                    available even though many do not contain information actually\n                    classified by the agency as "Safeguards Information" does not\n                    follow because containing "Safeguards Information" is only one\n                    of many very valid reasons the content of an SA is not released\n                    to the public.\n\nOIG Response\n(Agency comment, paragraph 1)\nThe requested rewording does not alter the intent of the paragraph.\n\n(Agency comment, paragraph 2)\nOIG recognizes that there are many bases for withholding safeguards advisories\nfrom public disclosure. However, to date, all safeguards advisories have been\nwithheld from public disclosure, including some that do not have a clear basis for\nwithholding.\n\nOIG made the requested revisions.\n\n             NRC Comment 9\n\n             9. On page 24, the statement about the Paperwork Reduction Act\n                incorrectly implies that an exemption clause is required if a\n                document is not an information request. An exemption clause is\n                required only if the document is an information request, but is\n                exempt from the requirement for an OMB control number.\n\n\nOIG Response\nOIG concurs with the nuance of this comment.\n\nThe statement was revised to accurately reflect the Paperwork Reduction Act\nrequirements.\n\n\n\n\n                                         39\n\x0c                                              Audit of NRC\xe2\x80\x99s Generic Communications Program\n\n\n\n             NRC Comment 10\n\n             10.    On page 29, in the first paragraph under "Internal Guidance on\n                    Processing Generic Communications," the first sentence\n                    through "For example" should be deleted and the paragraph\n                    should be started from "NRR Office . . ."\n\nOIG Response\nThe requested deletion does not impact the point of the paragraph.\n\nOIG deleted the language as requested.\n\n\n\n\n                                         40\n\x0c'